Describe the bug

We discovered that the OIDC state parameter is required in order to parse the redirect URI properly. If no state is issued, the callback will not be parsed and instead a fresh login will be performed.

I consider this a bug as the OIDC spec only requires the state parameter if it was present in the request, but if the request did not contain a state (I'll add details from our context under Anything else) it should accept it. Also, even if we would assume that behavior is intended, I believe that the parsing logic should not silently fail and at least a warning should be logged.

Version

26.1.4

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

We perform user registrations using an API request. When a user verifies the E-Mail he is being redirected to a page which uses keycloak-js. As the initial authorization request is coming from an action token it will not contain a state parameter. The issue now is, that keycloak-js will attempt to start a new login but with the current window location including the callback params.
In our case we experience then issues with a firewall policy as it will lead to a double encoded iss parameter.

I'm also willing to create a PR if you confirm that behavior is a bug.